DATA PROTECTION ACT: LET’S TALK ABOUT CONSENT
In the last edition, we explored some of the words and phrases that are referred to in the Act. A summary of the newsflash can be accessed here.
In this newsflash, we will look at the requirements for obtaining “consent” under the Act and what they mean for your company and business.
Consent is one of the legal grounds to process personal data under the Act. As a reminder, consent is any manifestation of express, unequivocal, free, specific and informed indication of a data subject’s wishes by a statement or clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
In other words, the data subject must provide his or her explicit approval to a data controller or data processor intending to use that data subject’s personal data. The data controller or processor must also provide clear information as to the identity of the party collecting the personal data, how the data subject’s personal data will be used and typically, what type of data will be processed. Finally, there must be no coercion or other element of forced or conditioned consent (for example, making the provision of services conditional on the data subject providing his/her consent).
It is also important to remember that the Act allows a data subject to withdraw his or her consent at any time. Whilst any subsequent withdrawal will not affect the lawfulness of any processing that was done before the consent was withdrawn, it is clear that relying on the data subject’s consent is not always the most reliable ground upon which to process personal data.
DID YOU KNOW?
A school in Sweden was fined EUR 19,000 for unlawfully processing sensitive personal data in connection with facial recognition software that it was trialling to monitor student attendance. This was notwithstanding the fact that the school had obtained the parents’ consent to such monitoring. Click here to read more about this story.
If you use or plan on using a biometric reader in your office in order to monitor your employees’ attendance (for example), make sure you have obtained the consent of your employees.